Petitioners Muhammad Fakhri Hadisyah and Muhammad Rizky Fadhillah attending the decision pronouncement hearing on the material review of Law No. 27 of 2022 on Personal Data Protection on Monday (25/05) at the Courtroom. Photo by MKRI/Ifa.
Jakarta (MKRI) – The Constitutional Court rejected in its entirety Petition No. 133/PUU-XXIV/2026 on the material review of Article 62 paragraph (2) of Law No. 27 of 2022 on Personal Data Protection (PDP Law). However, the Court reaffirmed the state's obligation to control personal data transfer as a part of data sovereignty.
“To protect privacy right of personal data subject, promote and guarantee rights on personal data protection in all jurisdictions, including overseas,” Justice Enny Nurbaningsih read out the legal considerations of Decision No. 133/PUU-XXIV/2026 on Monday, May 25, 2026, at the Plenary Courtroom, Jakarta.
Moreover, the state’s efforts to protect personal data must be carried out holistically, as provided by the principles of personal data processing, personal data classification, and personal data subject rights and their exceptions, and by the existing legal basis for processing personal data, including provisions on the obligation and processor of personal data. The extent of such regulation is part of the protection and guarantee of citizens’ constitutional rights to personal data protection, as guaranteed by Article 28G paragraph (1) of the 1945 Constitution of the Republic of Indonesia, which must be realized in accordance with the provisions of Law No. 27 of 2022.
According to the Court, the main constitutional issue of the norm in Article 62 paragraph (2) of Law No. 27 of 2022 relates to the substance that mentions that international cooperation conducted by the government and the government of another country or an international organization related to personal data protection is carried out based on laws and principles of international law. The implementation of such a substance, in principle, cannot be understood partially, but must also be read along with other norms in Law No. 27 of 2022.
In other words, Article 62 paragraph (2) of Law No. 27 of 2022 must be understood wholly or comprehensively. In this case, the norm in Article 62 paragraph (2) of Law No. 27 of 2022 is related to the norms in Article 56 paragraphs (1), (2), (3), and (4) of Law No. 27 of 2022, which were ruled on in Constitutional Court Decision No. 137/PUU-XXIV/2025, pronounced in an open plenary session on January 19, 2026.
In that decision, the Court declared that there are no constitutional issues with the norms in Article 56 paragraphs (1), (2), (3), and (4) of Law No. 27 of 2022. However, to understand the relationship between Article 62 paragraph (2) of Law No. 27 of 2022 and Article 56 paragraphs (1), (2), (3), and (4) of Law No. 27 of 2022, it is important for the Court to cite the norm in Article 56 of Law No. 27 of 2022.
The article in full states, (1) A Personal Data Controller may transfer Personal Data to Personal Data Controllers and/or Personal Data Processors outside the jurisdiction of the Republic of Indonesia in accordance with the provisions stipulated in this Law; (2) In carrying out the transfer of Personal Data as referred to in paragraph (1), the Personal Data Controller shall ensure that the country in which the receiving Personal Data Controller and/or Personal Data Processor is domiciled has a level of Personal Data Protection that is equal to or higher than that provided under this Law; (3) In the event that the requirement referred to in paragraph (2) is not fulfilled, the Personal Data Controller shall ensure that there is adequate and binding Personal Data Protection; (4) In the event that the requirements referred to in paragraphs (2) and (3) are not fulfilled, the Personal Data Controller shall obtain the consent of the Personal Data Subject; (5) Further provisions regarding the transfer of Personal Data shall be regulated by Government Regulation.
Therefore, the international cooperation substance as stipulated in Article 62 paragraph (2) of Law No. 27 of 2022, which becomes an integral part of the essence of Article 62 paragraph (1) of Law No. 27 of 2022, is closely related to the provision of Article 56 of Law No. 27 of 2022, which regulates personal data transfer outside the Indonesian legal jurisdiction. By taking a closer look at the construction of the norm in Article 56 paragraph (1) of Law No. 27 of 2022, the transfer of personal data outside the Indonesian legal jurisdiction may be carried out only from a personal data controller to another personal data controller/processor.
A Personal Data Controller refers to any person, public body, or international organization acting individually or jointly in determining the purposes of and exercising control over the processing of data. Meanwhile, a Personal Data Processor refers to any person, public body, or international organization that processes personal data, individually or jointly, on behalf of the Personal Data Controller.
Moreover, regarding the construction of the norm in Article 56 paragraph (2) of Law No. 27 of 2022 in relation to the understanding of Article 62 paragraph (2) of Law No. 27 of 2022, which becomes an integral part of Article 62 paragraph (1) of Law No. 27 of 2022, according to the Court, in data transfer activities, which include high personal data processing, the main priority is to protect and guarantee citizens’ constitutional rights as data subjects, as reaffirmed in Constitutional Court Decision No. 151/PUU-XXIV/2024, pronounced in an open plenary session on July 30, 2025.
Subsequently, in Constitutional Court Decision No. 137/PUU-XXIV/2025, the Court based its assessment of the adequacy of other countries as recipients of personal data transfers not only on Article 56 paragraph (2) of Law No. 27 of 2022, but also on Articles 59 and 60 of Law No. 27 of 2022. In this context, personal data transfer relies not only on the personal data controller to ensure equal protection in the recipient countries, but also requires an existing and functional Personal Data Protection Agency (LPDP) as a supervisory authority that carries out evaluation, supervision, and technical policy to assess the equal protection.
“Therefore, related to the final, authoritative, and binding authority to determine the list of states that are deemed equal, the authority to provide guidance and authority to exercise law enforcement is under the LPDP,” Justice Enny stated.
The case was submitted by four students: Fairuz Najwa Sahara Tanjung, Muhammad Fakhri Hadisyah Putra, Dela Puspita Ainnur Fadillah, and Muhammad Rizky Fadhillah. The petition was submitted following the signing of the Reciprocal Trade Agreement between Indonesia and the United States. The agreement is considered to increase the risk of personal data abuse by foreign parties not subject to Indonesian law, given the lack of government oversight of personal data protection.
They challenge Article 62 paragraph (2) of the PDP Law, which reads “international cooperation in the implementation of this law shall be carried out in accordance with the provisions of statutory regulations and the principles of international law”. They believe that the article contradicts Article 28G paragraph (1) of the 1945 Constitution of the Republic of Indonesia, which reads “Every person has the right to protection of self, family, honor, dignity, and their property, and has the right to security and protection from threats of fear to exercise or not to exercise his human rights.”
Decision No. 133/PUU-XXIV/2026 (in Indonesian)
Author: Mimi Kartika
Editor: Lulu Anjarsari P.
PR: Andhini S.F.
Translator: Rizky Kurnia Chaesario
Disclaimer: The original version of the news is in Indonesian. In case of any differences between the English and the Indonesian versions, the Indonesian version will prevail.
Monday, May 25, 2026 | 18:27 WIB